Author: Samuel Williams
When: Wednesday, 17 October 2012
I recently updated one of my projects Library Inspector for OS X 10.8. After a month of waiting, it was finally rejected (!#@$%!@) due to problems with the code signing entitlements. The Apple Reviewer was very vague about the problem which caused additional frustrations (%!@#$%) but after searching I found a very helpful application RB App Checker Lite which can check the certificates, entitlements and other details of your application likely to cause problems.
I actually emailed Rainer Brockerhoff since I figured he'd have a lot of experience (and I gave him a free copy of Library Inspector to sweeten the deal). He told me that for NSTask based task invocation I'd need to encode the entitlements directly into the binaries, which I wasn't doing.
To make things even more complex, the binaries I am including in the application bundle are actually copied from Xcode (nm, otool, c++filt, etc.) and class-dump (a fantastic tool by the way!). So, I am ripping out the existing Apple signatures and adding my own. This is because you can't submit other people's code signed binaries to the Mac App Store.
Anyway, here is what I ended up with:
This is the main entitlements file for Library Inspector.
Auxiliary Executable Entitlements
This is the entitlements used for the auxiliary binaries.
Of particular importance is the com.apple.security.inherit property. When Library Inspector, itself running in a sandbox due to com.apple.security.app-sandbox, invokes tasks using NSTask, each task will itself run in a sandbox and inherit the permissions of Library Inspector, so it can read any relevant input files (normally provided as arguments).
Code Signing Script
This Ruby script is used as a build phase within Library Inspector and signs the auxiliary executables if a signature was specified. For your own application you'd need to update the list of tools and the identifier base.
Now I just have to submit the application and wait for a month for Apple to review it... Fingers crossed that everything is fine this time through the system.
Addendum, March 2013: Quicklook Plugins
I found that there are some issues when the above approach is used with Quicklook Plugins. I found that my external processes were crashing with the following type of error:
I narrowed it down to the entitlements. It turns out that the Quicklook Plugin Host doesn't seem to run in a typical sandbox (as far as I can tell), and thus trying to use the inherit entitlement doesn't work. Simply removing the entitlements file arguments ('--entitlements', entitlements) from the above code signing script fixes the issue. This works because the executable no longer tries to inherit sandbox permissions from the parent, but I'm not exactly sure why this is an issue. It seems like this only affects Mac OS X 10.8.2+ but I haven't had a lot of experience with this problem yet.
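As an added illustration (not the post's own build-phase script), here is a Ruby signing step in the shape the post describes: it re-signs a list of helper tools with an inherit entitlements file, and can drop the --entitlements argument for the Quicklook-hosted case from the addendum. The identifier base, tool list and BIN_DIR/QUICKLOOK_HOSTED environment variables are assumptions; CODE_SIGN_IDENTITY is the identity Xcode exposes to build phases.

```ruby
# Constructed values (assumptions, not the post's real identifier or tool list).
IDENTIFIER_BASE = "com.example.libraryinspector.tool"
TOOLS = %w[nm otool c++filt class-dump]

# Entitlements for a helper launched with NSTask from a sandboxed app: it runs
# in its own sandbox and inherits the parent's permissions.
INHERIT_ENTITLEMENTS = <<~PLIST
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.inherit</key><true/>
  </dict>
  </plist>
PLIST

# Argument vector for one helper. --force replaces the existing (Apple)
# signature; inherit: false omits --entitlements, the workaround for helpers
# hosted by the Quicklook plugin host, which is not a normal sandboxed parent.
def codesign_args(identity, tool_path, entitlements_path, inherit: true)
  args = ["codesign", "--force", "--sign", identity,
          "--identifier", "#{IDENTIFIER_BASE}.#{File.basename(tool_path)}"]
  args += ["--entitlements", entitlements_path] if inherit
  args << tool_path
end

# Sign every tool in bin_dir. Returns the commands; runs them only when
# run: true, and skips signing entirely when no identity was configured.
def sign_tools(identity, bin_dir, entitlements_path, inherit: true, run: false)
  return [] if identity.nil? || identity.empty?
  File.write(entitlements_path, INHERIT_ENTITLEMENTS) if inherit && run
  TOOLS.map do |tool|
    cmd = codesign_args(identity, File.join(bin_dir, tool), entitlements_path, inherit: inherit)
    system(*cmd) or raise "codesign failed for #{tool}" if run
    cmd
  end
end

if __FILE__ == $0
  # Xcode passes the chosen identity to build phases as CODE_SIGN_IDENTITY.
  bin = ENV.fetch("BIN_DIR", ".")
  sign_tools(ENV["CODE_SIGN_IDENTITY"], bin, File.join(bin, "auxiliary.entitlements"),
             inherit: ENV["QUICKLOOK_HOSTED"].nil?, run: true).each { |c| puts c.join(" ") }
end
```

With no CODE_SIGN_IDENTITY set the script signs nothing, which mirrors the post's "only if a signature was specified" behaviour; set QUICKLOOK_HOSTED to sign without the inherit entitlements.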